Re: There is a newer OCSP response but was not provided by the server

September 23, 2015 09:42AM
> Though not providing an OCSP response isn't a problem at all
> as OCSP stapling is just an optimization, and

Well, it *is* a problem.

Without stapling, each client that hits our server also hits the OCSP server.
In our case, the OCSP server is overloaded (StartSSL), and therefore we
can help by caching the response and delivering it ourselves.

There is another, more general problem: OCSP servers may log the hits.
Although this may not happen with StartSSL (we do not know for sure),
it is still a concern for the privacy of clients and profiling of all sorts.

> there is no need to care about pre-caching things.

If it works, yes.
If it does not work, then we must update manually.
One wants to avoid the latter case.

> As long as there are clients who ask your server about an OCSP response
> - nginx will load it and will provide it to clients as needed.

It is *not* working. Please move on with the wishful thinking. It would be
great if things were as you say. In reality, they are not.

I think we agree that the following openssl test would be sufficient
and good to ask the server about an OCSP response. In practice,
nginx is still not delivering as intended.

    # send "QUIT" so s_client closes the connection after the handshake;
    # -status requests the stapled OCSP response, -tlsextdebug dumps the extensions
    echo QUIT \
    | openssl s_client \
        -CAfile /etc/ssl/ca-bundle.pem \
        -connect "$fqdn:443" \
        -servername "$fqdn" \
        -tlsextdebug \
        -status 2>&1

where $fqdn is the server's address.
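The two things the post asks for, as an added example that is not code from the original post or from nginx: a probe that classifies what (if anything) the server stapled, and a pre-caching step that fetches the OCSP response from the CA's responder ourselves and stores it as a DER file for nginx's `ssl_stapling_file`. It assumes openssl(1) is on the PATH, that the CA bundle lives at /etc/ssl/ca-bundle.pem as in the post, and that the responder URL is in the certificate's AIA extension; the sample s_client outputs embedded at the bottom are constructed and abridged, so `classify_ocsp` can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from nginx.
# Assumes openssl(1) on PATH. Only probe_stapling and fetch_ocsp_response
# touch the network, and they run only when the script is given arguments.
set -u

# Probe a TLS server and capture everything s_client reports about the
# stapled OCSP response (the same test as in the post, with quoting).
probe_stapling() {
  fqdn=$1
  echo QUIT | openssl s_client -connect "$fqdn:443" -servername "$fqdn" \
    -status 2>&1
}

# Classify s_client -status output. Prints one of:
#   none            server stapled nothing ("OCSP response: no response sent")
#   stapled-good    a response was stapled and says the certificate is good
#   stapled-revoked a response was stapled and says the certificate is revoked
#   stapled-other   a response was stapled but carries no usable status
#                   (e.g. "unauthorized" or "tryLater" from the responder)
#   unknown         the text does not look like s_client -status output
classify_ocsp() {
  case $1 in
    *"OCSP response: no response sent"*) echo none ;;
    *"Cert Status: good"*)               echo stapled-good ;;
    *"Cert Status: revoked"*)            echo stapled-revoked ;;
    *"OCSP Response Status:"*)           echo stapled-other ;;
    *)                                   echo unknown ;;
  esac
}

# Pre-cache: query the CA's responder ourselves and keep the raw DER response
# so nginx can serve it via ssl_stapling_file instead of fetching it itself.
# Arguments: leaf cert, issuer cert, output path, [CA bundle for verification].
fetch_ocsp_response() {
  cert=$1 issuer=$2 out=$3
  cafile=${4:-/etc/ssl/ca-bundle.pem}   # assumed path, as in the post
  url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
  if [ -z "$url" ]; then
    echo "no OCSP URI in $cert" >&2
    return 1
  fi
  tmp="$out.tmp"
  # -respout keeps the DER response; the human-readable verdict goes to a log.
  # The issuer is offered via -verify_other so a delegated responder
  # certificate can chain through it to a root in the bundle.
  if ! openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
       -CAfile "$cafile" -verify_other "$issuer" \
       -respout "$tmp" >"$tmp.log" 2>&1; then
    echo "responder request to $url failed, see $tmp.log" >&2
    return 1
  fi
  # Install only a response that verifies, is inside its thisUpdate/nextUpdate
  # window (openssl warns "Status times invalid" otherwise) and says "good".
  if grep -q "Response verify OK" "$tmp.log" &&
     ! grep -q "Status times invalid" "$tmp.log" &&
     grep -q ": good" "$tmp.log"; then
    mv "$tmp" "$out"
    return 0
  fi
  echo "refusing to install response, see $tmp.log" >&2
  return 1
}

# Constructed, abridged s_client outputs for exercising classify_ocsp offline.
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:/CN=www.example.org'

SAMPLE_STAPLED_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Sep 23 08:00:00 2015 GMT
    Next Update: Sep 30 08:00:00 2015 GMT
======================================'

# Usage:  ocsp-tools.sh check FQDN
#         ocsp-tools.sh fetch CERT.pem ISSUER.pem OUT.der [CA-BUNDLE.pem]
if [ $# -ge 1 ]; then
  case $1 in
    check) classify_ocsp "$(probe_stapling "$2")" ;;
    fetch) fetch_ocsp_response "$2" "$3" "$4" "${5:-}" ;;
    *)     echo "usage: $0 check FQDN | fetch CERT ISSUER OUT [CAFILE]" >&2
           exit 2 ;;
  esac
fi
```

Run `fetch` from cron well before the previous response's Next Update, point nginx at the result with `ssl_stapling on;` and `ssl_stapling_file /path/to/OUT.der;`, and reload; then `check FQDN` should print stapled-good rather than none. Two caveats: OpenSSL 1.0.x needs an explicit `-header` with the responder's host name on the `openssl ocsp` call, and a response that fails the checks above leaves the previous file in place on purpose, so a stale or broken fetch never replaces a good cached response.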
Thread: There is a newer OCSP response but was not provided by the server

  Author          Posted
  173279834462    September 22, 2015 05:33AM  (original post)
  Maxim Dounin    September 22, 2015 09:02AM
  173279834462    September 22, 2015 05:21PM
  Maxim Dounin    September 23, 2015 08:34AM
  173279834462    September 23, 2015 09:42AM  (this post)
  itpp2012        September 23, 2015 11:29AM
  Maxim Dounin    September 23, 2015 10:50AM
  173279834462    September 23, 2015 11:39AM
  Maxim Dounin    September 23, 2015 12:18PM
  173279834462    September 23, 2015 12:53PM
  Maxim Dounin    September 23, 2015 01:22PM
  173279834462    September 23, 2015 01:33PM
  173279834462    September 23, 2015 01:35PM
  173279834462    September 23, 2015 01:39PM
  173279834462    September 23, 2015 01:41PM
  173279834462    September 23, 2015 02:22PM